From d6e5fc10e417efdf8665d9fba57c269f0534072f Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Fri, 1 Nov 2019 11:10:31 +0100
Subject: [Backport] Fix for CVE-2019-13720
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Obtain graph/process lock when nullifying the buffer in Reverb

When the buffer is set to `null` while there is an active buffer
within a reverb object, SetBuffer() function can prematurely
nullify the `reverb_` and `shared_buffer_` while it is still
being accessed by the rendering thread.

This CL adds two locks (graph lock and process lock) when the
buffer gets nullified to ensure the synchronization between
two threads.

(cherry picked from commit 6a2e670a243b815cf043f8da4d26ecb9a64d307b)

Change-Id: I8f501b6a16b3c7e16db767e0b279a1a53d6eb290
Bug: 1019226
Reviewed-on:
https://chromium-review.googlesource.com/c/chromium/src/+/1888103
Commit-Queue: Hongchan Choi <hongchan@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#710627}
Reviewed-on:
https://chromium-review.googlesource.com/c/chromium/src/+/1889510
Reviewed-by: Krishna Govind <govind@chromium.org>
Cr-Commit-Position: refs/branch-heads/3953@{#8}
Cr-Branched-From:
b5ceb94d4b9a2f629c84df1be72f9e3d0a79fd2d-refs/heads/master@{#710313}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
---
 chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc
index a0c05beab71..066ed521d09 100644
--- a/src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc
+++ b/src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc
@@ -95,6 +95,8 @@ void ConvolverHandler::SetBuffer(AudioBuffer* buffer,
   DCHECK(IsMainThread());
 
   if (!buffer) {
+    BaseAudioContext::GraphAutoLocker context_locker(Context());
+    MutexLocker locker(process_lock_);
     reverb_.reset();
     buffer_ = buffer;
     return;
-- 
cgit v1.2.1


